Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: MysteryFCM on August 06, 2009, 09:09:48 am

Title: Alert: Yet more malicious Microsoft e-mails
Post by: MysteryFCM on August 06, 2009, 09:09:48 am
Following on from the previous Microsoft e-mail botnet;

http://hphosts.blogspot.com/2009/08/yab-yet-another-botnet-microsoft.html

.. I'm now receiving several e-mails pointing to worm infections hosted on RapidShare, going through king.cd

http://hphosts.blogspot.com/2009/08/alert-malicious-microsoft-e-mail-using.html

Title: Re: Alert: Yet more malicious Microsoft e-mails
Post by: SysAdMini on August 19, 2009, 11:10:44 pm
Quote
91.207.116.22 is located on a Rushkranian block, apparently owned by Rise-v Ltd, which was also the source of the exploit at kervinly.com.

Today we've seen more of these fake Microsoft e-mails. I have checked the file at the given URL:
hxxp://update.microsoft.com.vciii.net/microsoftofficeupdate/isapdl/de.aspx/officexp-KB910721-FullFile-ENU.exe

It downloads a Zbot trojan from domain shipal.eu at the known IP 91.207.116.22.
http://www.virustotal.com/analisis/20bdac97d430bcb74805f94faefdf5e6424b38f00bd61e97372c0fc17c5c6a8b-1250721169 17/41

Therefore I have checked what else can be found at this host.

Here is the list:

http://www.malwaredomainlist.com/mdl.php?search=91.207.116.22&colsearch=All&quantity=50

Title: Re: Alert: Yet more malicious Microsoft e-mails
Post by: MysteryFCM on August 19, 2009, 11:14:59 pm
Nice one, cheers :)